Isn't that chain supposed to be the FORWARD chain instead? Otherwise, you're jumping to the same chain where the jump occurs. Also, the -I below should be an -A, otherwise nothing will ever hit any of the ACCEPT rules.

BTW, this sort of stuff is usually a bad idea to do with iptables for several reasons. For example, you might not know all the IPs a site uses, and even if you did they could change at any time. Squid is a much better tool for this job.
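The two points above (jump from FORWARD, and append rather than insert) as an added example; this is not the ruleset posted in the thread. The chain name, the exempt host and the blocked addresses are assumed placeholders, and by default the script only prints the iptables commands and replays them to show the resulting rule order, so it runs without root or a kernel netfilter.

```shell
#!/bin/sh
# Added example, not the ruleset from the thread: a custom chain hung off FORWARD
# whose exceptions come before its DROP rules, plus the broken variant that uses -I.
# With IPT unset the commands are only printed; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
CHAIN="${CHAIN:-BLOCKLIST}"                 # assumed chain name
EXEMPT_SRCS="192.168.1.5"                   # constructed: host allowed past the block
BLOCKED_DSTS="203.0.113.10 203.0.113.11"    # constructed: destinations to drop

# Correct layout: routed traffic traverses FORWARD (not INPUT or OUTPUT), so the
# jump goes there, and every rule is appended (-A) so the order is the order written.
build_rules() {
    $IPT -N "$CHAIN"
    $IPT -A FORWARD -j "$CHAIN"
    for src in $EXEMPT_SRCS; do
        # RETURN hands the packet back to FORWARD instead of ACCEPTing it outright,
        # so the rest of the FORWARD policy still applies to the exempt host.
        $IPT -A "$CHAIN" -s "$src" -j RETURN
    done
    for dst in $BLOCKED_DSTS; do
        $IPT -A "$CHAIN" -d "$dst" -j DROP
    done
}

# The mistake discussed above: -I inserts at position 1, so the DROP lands above
# every ACCEPT and those ACCEPT rules can never match.
broken_rules() {
    $IPT -N "$CHAIN"
    $IPT -A FORWARD -j "$CHAIN"
    for src in $EXEMPT_SRCS; do
        $IPT -A "$CHAIN" -s "$src" -j ACCEPT
    done
    $IPT -I "$CHAIN" -j DROP
}

# Replays printed iptables commands for one chain and prints the resulting rule
# order: -I prepends, -A appends. Shows the chain without touching the kernel.
effective_order() {
    chain="$1"; rules=""
    while IFS= read -r line; do
        case "$line" in
            *" -I $chain "*) rules="$line
$rules" ;;
            *" -A $chain "*) rules="$rules$line
" ;;
        esac
    done
    printf '%s' "$rules"
}

# The replay only makes sense in dry-run mode, where the commands are echoed.
case "$IPT" in
    echo*)
        echo "== correct chain order =="
        build_rules | effective_order "$CHAIN"
        echo "== broken chain order (DROP first, ACCEPT rules dead) =="
        broken_rules | effective_order "$CHAIN"
        ;;
esac
```

On a live box, `iptables -L BLOCKLIST -n --line-numbers` shows the same ordering the replay prints; if the DROP is at line 1, nothing below it is ever evaluated.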

crackyblue

12-11-2009 01:10 AM

Quote:

Originally Posted by win32sux
(Post 3786560)

Isn't that chain supposed to be the FORWARD chain instead? Otherwise, you're jumping to the same chain where the jump occurs. Also, the -I below should be an -A, otherwise nothing will ever hit any of the ACCEPT rules.

BTW, this sort of stuff is usually a bad idea to do with iptables for several reasons. For example, you might not know all the IPs a site uses, and even if you did they could change at any time. Squid is a much better tool for this job.

Thanks for that, it's working now. Well, I have already imposed it on Squid, and it's perfectly blocking UltraSurf using urlfilterdb, but only when the proxy is in non-transparent mode. And since I am in transparent mode, I worked out a way without reconfiguring 1000 workstations... laziness falls in for now... :)

I also managed to add sites using domain names instead of IP addresses... and it worked fine... I'll let you know how it is going...

win32sux

12-11-2009 05:07 AM

Quote:

Originally Posted by crackyblue
(Post 3787401)

Thanks for that, it's working now. Well, I have already imposed it on Squid, and it's perfectly blocking UltraSurf using urlfilterdb, but only when the proxy is in non-transparent mode. And since I am in transparent mode, I worked out a way without reconfiguring 1000 workstations... laziness falls in for now... :)

Heh, okay. Of course, you could always automate that if you really wanted to.

crackyblue

12-11-2009 09:58 PM

Quote:

Originally Posted by win32sux
(Post 3787576)

Heh, okay. Of course, you could always automate that if you really wanted to.

Nah, done that already. UltraSurf will change your proxy settings to 127.0.0.1 port 9666, so basically it will be useless to fend off the UltraSurf program.

win32sux

12-12-2009 06:15 AM

Quote:

Originally Posted by crackyblue
(Post 3788455)

Nah, done that already. UltraSurf will change your proxy settings to 127.0.0.1 port 9666, so basically it will be useless to fend off the UltraSurf program.

WPAD is only meant to allow you to automatically set the proxy configuration on all your clients. That way, you could have Squid run in non-transparent mode, without the need to use iptables for this. Everything would be done with Squid ACLs, and whether or not UltraSurf starts its own proxy on localhost would be irrelevant. So basically, if you did this already and failed, then you did something wrong. Like, perhaps you were still allowing unwanted packets to be forwarded, for example.
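The setup described in the post above, as an added example (not configuration from anyone in the thread): a PAC file for WPAD to hand out, a non-transparent Squid with the policy in ACLs, and a FORWARD chain that refuses everything from the LAN except DNS, so a client that ignores the proxy, or a tunnel listening on 127.0.0.1:9666, has no path out. Interface name, proxy hostname, port, subnet, resolver address and the blocked-domain file path are all assumed; with IPT unset the iptables commands are only printed.

```shell
#!/bin/sh
# Added example of the WPAD + non-transparent Squid + FORWARD-enforcement design;
# every name and address below is an assumed placeholder, not a value from the thread.
# With IPT unset the iptables commands are only printed; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"                        # assumed: interface facing the workstations
PROXY_HOST="${PROXY_HOST:-proxy.example.lan}"   # assumed: name Squid is reached by
PROXY_PORT="${PROXY_PORT:-3128}"
RESOLVER="${RESOLVER:-198.51.100.53}"           # assumed: the only DNS server clients may reach

# The PAC file WPAD serves as wpad.dat. Clients send everything but local
# addresses to Squid; a proxy rewritten to 127.0.0.1:9666 on the client is
# irrelevant because direct egress is closed off in enforce_rules below.
write_pac() {
    cat <<EOF
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || isInNet(host, "192.168.1.0", "255.255.255.0"))
        return "DIRECT";
    return "PROXY ${PROXY_HOST}:${PROXY_PORT}";
}
EOF
}

# Squid side: no "intercept" keyword on http_port, so this is the non-transparent
# mode the thread contrasts with. Policy lives in ACLs; the domain list file is assumed.
squid_acl_snippet() {
    cat <<EOF
http_port ${PROXY_PORT}
acl lan src 192.168.1.0/24
acl blocked dstdomain "/etc/squid/blocked_domains"
http_access deny blocked
http_access allow lan
http_access deny all
EOF
}

# Firewall side (Squid runs on the gateway): the only traffic forwarded for the
# LAN is DNS to the resolver. Web traffic reaches Squid through INPUT, so no
# FORWARD rule for 80/443 is needed and none is written.
enforce_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -p udp -d "$RESOLVER" --dport 53 -j ACCEPT
    # Anything else a client tries to route directly is logged, then hits the DROP policy.
    $IPT -A FORWARD -i "$LAN_IF" -m limit --limit 5/min -j LOG --log-prefix "proxy-bypass: "
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$PROXY_PORT" -j ACCEPT
}

echo "== wpad.dat =="; write_pac
echo "== squid.conf fragment =="; squid_acl_snippet
echo "== firewall =="; enforce_rules
```

The log prefix is there for exactly the failure mode named above: if workstations still reach the outside directly, the `proxy-bypass:` lines in the kernel log show which forwarded packets are getting through and need a rule.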

jlcerezo

03-28-2010 10:53 AM

Hi win32sux! It seems that you have been able to block UltraSurf using Squid, even when it runs on a secured port. My Squid config needs some tweaking to block UltraSurf. I hope you can help me. I will post my iptables config and some part of squid.conf ASAP...